Dueling auth-constraint elements

Roy Simon

Ranch Hand

Posts: 62

posted 10 years ago

hi,

I have a question on web-app security... when having more than one <security-constraint> element in the DD with conflicts... the HFS book describes how the various conflicts can be resolved... here is the DD..

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Something</web-resource-name>
    <url-pattern>/me/Display/*</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint> <!-- this, or is this tag not included at all... -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

the book discusses all combinations except this one ... one that allows all roles to request and one that allows none to access... though the DD may not make sense, nevertheless it is one valid combination... The HFS book says that an empty <auth-constraint/> has the final word, but the next line says that --- "If one of the <security-constraint> elements has no <auth-constraint> element then it combines with anything else to allow access to all"... so does the above combination allow access to all roles or does it prevent access to all?

Assuming the url-pattern tag is closed properly, the above web.xml entry does permit access to anyone for the resource matching /me/Display/* and the POST method due to the <auth-constraint/> entry. But all the other methods of the same resource are open, i.e. access is permitted to anyone.

Thanks

Narendra Dhande
SCJP 1.4,SCWCD 1.4, SCBCD 5.0, SCDJWS 5.0, SCEA 5.0

Gaurav Gambhir

Ranch Hand

Posts: 256

posted 10 years ago

Quote: "Assuming the url-pattern tag is closed properly, the above web.xml entry does permit access to anyone for the resource matching /me/Display/* and the POST method due to the <auth-constraint/> entry. But all the other methods of the same resource are open, i.e. access is permitted to anyone."

Narendra, <auth-constraint/> means no roles have access. How come it permits access to anyone for /me/Display/* due to the <auth-constraint/> entry?

Simon, you are right, there are no comments in HFSJ on the combination of

<auth-constraint/> entry

along with

<auth-constraint> <!-- this, or is this tag not included at all... -->
  <role-name>*</role-name>
</auth-constraint>

HFSJ shouldn't have to give that example because it says that an empty <auth-constraint/> always gets the final word.

A good workman is known by his tools.

Narendra Dhande

Ranch Hand

Posts: 951

posted 10 years ago

Hi Gaurav,

Sorry for the typo. I want to say

Assuming the url-pattern tag is closed properly, the above web.xml entry does NOT permit access to anyone for the resource matching /me/Display/* and the POST method due to the <auth-constraint/> entry. But all the other methods of the same resource are open, i.e. access is permitted to anyone.

A single missing word really changes the meaning of the statement.

Thanks

Narendra Dhande
SCJP 1.4,SCWCD 1.4, SCBCD 5.0, SCDJWS 5.0, SCEA 5.0

Gaurav Gambhir

Ranch Hand

Posts: 256

posted 10 years ago

Thanks Marc & Narendra. So now I've got it: an empty <auth-constraint/> always gets the final word.
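As an added illustration of the combining rule the thread settles on (this is my own Python model, not code from the HFSJ book or any poster), the script below parses a constructed web.xml that carries both of Roy's alternatives for the same resource and method and reports the effective access: the empty <auth-constraint/> precludes POST, while GET and every other method on /me/Display/* stay unconstrained, which is Narendra's point. The url_matches helper and the reference to Servlet spec section 13.8.1 are my assumptions; a real audit would also need to handle the default "/" pattern.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml modelled on the thread's DD: two constraints cover the same
# resource and method; one precludes all roles, the other permits every role.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/me/Display/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/me/Display/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def url_matches(path, pattern):
    """Servlet-style matching: exact, path-prefix (/x/*) or extension (*.ext)."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def covering_auth_constraints(root, path, method):
    """Return the <auth-constraint> element (or None) of every constraint covering the request."""
    found = []
    for sc in root.findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text for p in wrc.findall("url-pattern")]
            methods = [m.text for m in wrc.findall("http-method")]  # none listed = all methods
            if any(url_matches(path, p) for p in patterns) and (not methods or method in methods):
                found.append(sc.find("auth-constraint"))
    return found

def effective_access(web_xml, path, method):
    """Combine the covering constraints the way the Servlet spec (13.8.1) does."""
    acs = covering_auth_constraints(ET.fromstring(web_xml), path, method)
    if not acs:
        return "unconstrained"      # nothing covers it: anyone may call it
    if any(ac is not None and ac.find("role-name") is None for ac in acs):
        return "precluded"          # empty <auth-constraint/> overrides everything else
    if any(ac is None for ac in acs):
        return "unconstrained"      # a covering constraint with no <auth-constraint> opens it
    roles = {r.text for ac in acs for r in ac.findall("role-name")}
    return "roles:" + ",".join(sorted(roles))
```

Running effective_access(WEB_XML, "/me/Display/x", "POST") returns "precluded" while the same path with "GET" returns "unconstrained", so a constraint that lists only POST leaves the other verbs open exactly as the replies above say.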